FBI’s search for ‘Mo,’ suspect in bomb threats, highlights use of malware for surveillance

The man who called himself “Mo” had dark hair, a foreign accent and — if the pictures he e-mailed to federal investigators could be believed — an Iranian military uniform. When he made a series of threats to detonate bombs at universities and airports across a wide swath of the United States last year, police had to scramble every time.

Mo remained elusive for months, communicating via e-mail, video chat and an Internet-based phone service without revealing his true identity or location, court documents show. So with no house to search or telephone to tap, investigators turned to a new kind of surveillance tool delivered over the Internet.

The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed on to his Yahoo e-mail account, from any computer anywhere in the world, according to the documents. The goal of the software was to gather a range of information — Web sites he had visited and indicators of the location of the computer — that would allow investigators to find Mo and tie him to the bomb threats.

Such high-tech search tools, which the FBI calls “network investigative techniques,” have been used when authorities struggle to track suspects who are adept at covering their tracks online. The most powerful FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.

Online surveillance pushes the boundaries of the Constitution's limits on searches and seizures by gathering a broad range of information, some of it without direct connection to any crime. Critics compare it to a physical search in which the entire contents of a home are seized, not just those items suspected to offer evidence of a particular offense.

A federal magistrate in Denver approved sending surveillance software to Mo’s computer last year. Not all such requests are welcomed by the courts: An FBI plan to send surveillance software to a suspect in a different case — one that involved activating a suspect’s built-in computer camera — was rejected by a federal magistrate in Houston, who ruled that it was “extremely intrusive” and could violate the Fourth Amendment.

“You can’t just go on a fishing expedition,” said Laura K. Donohue, a Georgetown University law professor who reviewed three recent court rulings on FBI surveillance software, including one involving Mo. “There needs to be a nexus between the crime being alleged and the material to be seized. What they are doing here, though, is collecting everything.”

The FBI and Justice Department declined to comment on the case or the surveillance techniques used in pursuit of Mo.

But court documents related to the investigation, created when the FBI requested a search warrant before sending the surveillance software across the Internet to Mo, have offered a rare window into the bureau’s tools for tracking suspects through an online landscape replete with places to hide.

The case also shows the limits of the surveillance software, which has not yielded Mo’s arrest, and the legal complexities created when the location of a subject is unknown.

“The suspect could be down the street or on the other side of the planet,” said Jason M. Weinstein, a former deputy assistant attorney general in the Justice Department’s criminal division who is now a partner at Steptoe & Johnson. He said he had no direct knowledge of the investigation of Mo. The case, however, “raises the broader question of whether the rules that exist now are adequate to address the problem.”

Mystery caller

The first known call from Mo came in July 2012, two days after a troubled man with dyed orange hair had gunned down 12 people in a movie theater in the Denver suburb of Aurora, Colo., court documents show. Mo told the county sheriff’s office there that he was a friend of the alleged killer and wanted him freed. If the sheriff refused, Mo said, he would blow up a building full of potential victims.

Mo and a deputy sheriff ended up speaking by phone for three hours while also communicating for much of that time through e-mail. That left investigators with several leads, including a phone number and a working address on Gmail, the Web-based e-mail service from Google.

Yet Mo’s true identity remained a mystery. The number turned out to be for Google Voice, an Internet-based service that allows users to make phone calls from their computers. When authorities made an emergency request to Google for information from his account with the company, they learned that Mo had used an online tool called a “virtual proxy” to mask identifying information about the computer he was using. The name registered for the Google account, meanwhile, was “Soozan vf.”

There was no obvious reference to Iran, even though a set of pictures Mo later e-mailed to investigators appeared to show an olive-skinned man in his late 20s, wearing what court documents described as an “Iranian tan camouflaged military uniform.”

Over several months, Mo allegedly threatened to detonate bombs at a county jail, a DoubleTree hotel, the University of Denver, the University of Texas, San Antonio International Airport, Washington-Dulles International Airport, Virginia Commonwealth University and other heavily used public facilities across the country, court documents show.

Though no bombs were ever found, during his rash of threats Mo began using an ominous new e-mail address: “texan.slayer@yahoo.com.” He also gave investigators a plausible full name for himself — Mohammed Arian Far — whose initials roughly fit a name he had used when registering his Google account: “mmmmaaaaffff.”

The account information, gathered after the approval of a search warrant in September 2012, listed a birthday that suggested Mo was 27 years old, fitting the estimates investigators made based on the pictures he had sent them. The field for country said “Iran.” The computer IP address used when Mo had signed up for the account in 2009 suggested he was in Tehran, the capital, at the time. But it wasn’t clear where in the city he lived, or even if he was still there.

Phishing for a suspect

The FBI team works much like other hackers, using security weaknesses in computer programs to gain control of users’ machines. The most common delivery mechanism, say people familiar with the technology, is a simple phishing attack — a link slipped into an e-mail, typically labeled in a misleading way.

When the user clicks the link, it connects to a computer at FBI offices in Quantico, Va., and downloads the malicious software, or “malware,” which operates covertly, typically to spy on or otherwise exploit the owner of a computer. As in some traditional searches, subjects typically are notified only after evidence is gathered from their property.
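The mislabeled link at the heart of that delivery method can be checked mechanically. What follows is an added example, not from the article and not any FBI or Yahoo tool: a short Python script that scans an HTML e-mail body and flags anchors whose visible text names one host while the href points to another, or whose target is a bare IP address. The sample message, the hostnames and the IP address in it are constructed for illustration.

```python
"""Flag misleadingly labelled links in an HTML e-mail body.

Added example, not from the article or any FBI tool. It implements the
check a mail gateway or an analyst can run for the delivery trick the text
describes: an anchor whose visible label suggests one destination while
its href points somewhere else. Sample message and hosts are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# A label "looks like a URL" if it is a scheme-less or http(s) domain with a
# letters-only top-level label, optionally followed by a path.
URLISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _host(text):
    """Lower-cased hostname of a URL or bare domain, without a leading 'www.'."""
    text = text.strip()
    if not HAS_SCHEME.match(text):
        text = "http://" + text          # bare domain in a label
    host = (urlsplit(text).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(href, label, [reasons])] for anchors whose label misrepresents the target."""
    parser = _Anchors()
    parser.feed(html)
    flagged = []
    for href, label in parser.links:
        target = _host(href)
        if not target:                   # mailto:, javascript:, relative links
            continue
        reasons = []
        if URLISH.match(label) and _host(label) != target:
            reasons.append("label names host %r but link goes to %r" % (_host(label), target))
        if IPV4.match(target):
            reasons.append("link target is a bare IP address")
        if reasons:
            flagged.append((href, label, reasons))
    return flagged


# Constructed sample: one deceptive link, one honest URL label, one plain-word label.
SAMPLE_EMAIL = """<html><body>
<p>Your account needs attention. Review it at
<a href="http://198.51.100.7/login">https://mail.yahoo.com/account</a>.</p>
<p>Questions? See <a href="https://help.yahoo.com/kb">help.yahoo.com</a>
or <a href="https://example.org/unsubscribe">unsubscribe</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, label, reasons in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", label, "->", href)
        for reason in reasons:
            print("   ", reason)
```

The heuristic is deliberately narrow: a label that is an ordinary word, such as “unsubscribe,” cannot be compared against a host, so only labels that themselves read as an address are tested. The bare-IP check catches the common case of a hastily stood-up download server, but legitimate intranet mail also uses raw addresses, so treat a hit as a prompt to inspect the message, not as proof of phishing.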

“We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “Judges are having to make up these powers as they go along.”

Former U.S. officials say the FBI uses the technique sparingly, in part to keep public references to its online surveillance tools to a minimum. There was news coverage about them in 2007, when Wired reported that the FBI had sent surveillance software to the owner of a MySpace account linked to bomb threats against a Washington state high school.

The FBI has been able to covertly activate a computer’s camera — without triggering the light that lets users know it is recording — for several years, and has used that technique mainly in terrorism cases or the most serious criminal investigations, said Marcus Thomas, former assistant director of the FBI’s Operational Technology Division in Quantico, now on the advisory board of Subsentio, a firm that helps telecommunications carriers comply with federal wiretap statutes.

The FBI’s technology continues to advance as users move away from traditional computers and become more savvy about disguising their locations and identities. “Because of encryption and because targets are increasingly using mobile devices, law enforcement is realizing that more and more they’re going to have to be on the device — or in the cloud,” Thomas said, referring to remote storage services. “There’s the realization out there that they’re going to have to use these types of tools more and more.”

The ability to remotely activate video feeds was among the issues cited in a case in Houston, where federal magistrate Judge Stephen W. Smith rejected a search warrant request from the FBI in April. In that case, first reported by the Wall Street Journal, Smith ruled that the use of such technology in a bank fraud case was “extremely intrusive” and ran the risk of accidentally capturing information of people not under suspicion of any crime.

Smith also said that a magistrate’s court based in Texas lacked jurisdiction to approve a search of a computer whose location was unknown. He wrote that such surveillance software may violate the Fourth Amendment’s prohibition on unreasonable searches and seizures.

Yet another federal magistrate judge, in Austin, approved the FBI’s request to conduct a “one-time limited search” — not involving the computer’s camera — by sending surveillance software to the e-mail account of a federal fugitive in December 2012.

In that case, investigators had evidence that the man, who allegedly had taken the identity of a soldier serving in Iraq, was living at a hotel in San Antonio, a little more than an hour’s drive from Austin. The FBI’s surveillance software returned a detailed inventory of the fugitive’s computer, including the chips used, the amount of space on his hard drive and a list of dozens of programs loaded onto it. He was later arrested, convicted and sentenced to five years in prison for financial fraud and identity theft.

“Technology is evolving and law enforcement is struggling to keep up,” said Brian L. Owsley, a retired federal magistrate judge from Texas who was not involved in either case. “It’s a cat-and-mouse game.”

Still searching

Even though investigators suspected that Mo was in Iran, the uncertainty around his identity and location complicated the case. Had he turned out to be a U.S. citizen or a foreigner living within the country, a search conducted without a warrant could have jeopardized his prosecution.

Federal magistrate Judge Kathleen M. Tafoya approved the FBI’s search warrant request on Dec. 11, 2012, nearly five months after the first threatening call from Mo. The order gave the FBI two weeks to attempt to activate surveillance software sent to the texan.slayer@yahoo.com e-mail address. All investigators needed, it seemed, was for Mo to sign on to his account and, almost instantaneously, the software would start reporting information back to Quantico.

The logistical hurdles proved to be even more complex than the legal ones. The first search warrant request botched the Yahoo e-mail address for Mo, mixing up a single letter and prompting the submission of a corrected request. A software update to a program the surveillance software planned to target, meanwhile, raised fears of a malfunction, forcing the FBI to refashion its malicious software before sending it to Mo’s computer.

The warrant authorized an “Internet web link” that would download the surveillance software to Mo’s computer when he signed on to his Yahoo account. (Yahoo, when questioned by The Washington Post, issued a statement saying it had no knowledge of the case and did not assist in any way.)

The surveillance software was sent across the Internet on Dec. 14, 2012 — three days after the warrant was issued — but the FBI’s program didn’t function properly, according to a court document submitted in February.

“The program hidden in the link sent to texan.slayer@yahoo.com never actually executed as designed,” a federal agent reported in a handwritten note to the court.

But, it said, Mo’s computer did send a request for information to the FBI computer, revealing two new IP addresses in the process. Both suggested that, as of last December, Mo was still in Tehran.

Craig Timberg is a national technology reporter for The Washington Post. Since joining The Post in 1998, he has been a reporter, editor and foreign correspondent, and he contributed to The Post’s Pulitzer Prize-winning coverage of the National Security Agency.

Ellen Nakashima is a national security reporter for The Washington Post. She covers cybersecurity, surveillance, counterterrorism and intelligence issues. She has also served as a Southeast Asia correspondent and covered the White House and Virginia state politics. She joined The Post in 1995.